Posted on behalf of Dan Bleaken, Senior Malware Analyst, Symantec Hosted Services
As reported in the June MessageLabs Intelligence Report, MessageLabs Intelligence is seeing a great variety of different threats relating to the upcoming FIFA World Cup.
We’ve seen 419-style scams, including emails offering tickets to games; fake accommodation providers; offers of contracts to supply clothing and boots; offers of free mobile phones; scams looking for companies to provide additional electricity/power for the World Cup; and more. All are ultimately designed to obtain the recipient’s personal details and/or money by means of deception and fraud.
MessageLabs Intelligence has also seen fake World Cup tickets for sale on well known auction websites, or advertisements offering tickets, that in reality are unlikely to give the buyer access to any games.
Moreover, we’ve seen a huge volume of spam that contains World Cup related content, but is actually not about the World Cup. An example is a spam email advertising male enhancement products which contains randomized subject lines relating to football (soccer).
All of the above is very much expected surrounding a global event such as the World Cup. Spammers are known to automatically scrape text from hundreds of websites (including news sites) and spray random chunks of this text into their messages in an attempt to make each message unique and confuse some of the more basic spam detection techniques.
MessageLabs Intelligence has seen the World Cup used in malicious emails, as reported in the May MessageLabs Intelligence Report, but in particular, we have seen an increase in targeted attacks. Targeted attacks are arguably the most damaging internet threat and we have blogged about several related to the World Cup here: http://www.symantec.com/connect/blogs/targeted-attack-uses-fifa-world-cup-2010-hook, http://www.symantec.com/connect/blogs/fifa-world-cup-used-lure-victims-targeted-attack, http://www.symantec.com/connect/blogs/brazilian-world-cup-related-targeted-attack.
More on 419 scams and advertisements for fake or useless tickets
The basic premise of a 419 scam (also commonly referred to as an advance fee fraud scam) is that the recipient is entitled to, or has won a large sum of money, a prize, a holiday, or some other desirable thing. In order to get it, they need to contact someone (usually a webmail address but sometimes a phone number), or email personal details to a webmail address.
In addition to it being highly likely that the recipient’s email address would then be added to the scammers’ list of targets (lining up the recipient for many more scam emails in future), the next stage would almost certainly be for the scammers to phone or email back, to get the victim to send an advance fee, in order to release the supposed money. As is so often the case with advance fee fraud scams or 419s, the initial email is just the beginning, or the first stage, of an often quite elaborate scam.
If drawn in, the victim is likely asked repeatedly for advance fees, for any purpose ranging from ‘admin fee’, ‘release fee’, ‘international transfer fee’ and so on, all with the promise of finally transferring the money. Eventually the victim would realize that they are the victim of a scam and just give up.
Something we often see is requests to ‘please keep this confidential’. Scammers know that the moment a potential victim shares what they have seen with someone else, the chances of the attack being successful are much, much lower. Also generally people like to have a secret - many recipients that have fallen for the prospect of being rich would find it quite exciting that it’s all a big secret.
Traditionally the vast majority of 419 scams are sent from webmail accounts. Sending the scam via a webmail account adds legitimacy to the mail, makes the email harder for security vendors to block, and helps to hide the identity of the scammers.
The most common World Cup scam is the simple (and classic) lottery scam. These scams have been around for years and the concept is very simple, but the precise details of the scams are always changing. They inform the recipient that they have won a sum of money in a lottery.
The details of the scam are often in the email itself, but sometimes they are in an attached file, usually a Word document or a PDF. In the example above the recipient is invited to reply to the email address given, or to open the attached PDF, which contains a wholly different set of contact details. It’s likely this scam gang have a whole array of fake names and email accounts – it doesn’t matter how recipients respond, all responses are ‘processed’ in stages that are probably defined by the scammers long before the emails are sent. These scamming operations are polished and highly organized. To potential victims replying to the scam email, or phoning one of the telephone numbers provided, the scammers would come across as professional, friendly and helpful – it’s all part of the plan to deceive.
The recipient is asked for personal details such as name, age, occupation, phone number. In responding, they would be led by the scammers into believing that the winnings just need to be transferred, and to do so the victim must provide a ‘release fee’, or ‘administration fee’ or similar. The scammers would continue asking for more and more fees until the victim realizes that they have been scammed, and gives up. Victims often tell nobody that they have been scammed due to sheer embarrassment.
Here’s another example, again with a PDF attachment:
This one claims to be the ‘SOUTH AFRICA WORLD CUP LOTTERY’, but uses the logo for the United Kingdom National Lottery. Bizarre! And a picture of a big pile of cash to try and further tempt the recipient.
Lottery scams come in a great variety of different styles, some quite elaborate (like the examples above), some very simple, or a bit of a mess, or both!
And another example:
The Global Mega-Million Lottery Promotion (South Africa 2010).doc
SOUTH AFRICA FIFA WORLD CUP 2010.doc
This example uses what seems to be a very popular image with World Cup scammers, which is the image of Nelson Mandela holding on to the World Cup with a big smile on his face.
Not all scams come with attachments. This time all the details of the scam are in the email itself, rather than in an attachment.
Some scammers try to throw everything at the recipient. The promise of money, the promise of tickets, the promise of accommodation...
This email scam offers a ‘Prizes & Tickets Bonanza’. The ‘lucky’ recipient is offered:
Flights to South Africa
Tickets to matches
The scammers attempt to make the email look more legitimate, by providing links to the official FIFA website’s information about tickets, and match fixtures.
All the recipient needs to do is forward their personal details; name, contact address, date of birth, occupation and so on. What follows, will be anything but what is advertised in the email. The victim will be led through a series of communications with the scammers, and almost certainly be asked to part with money in advance to secure their winnings and/or tickets – the advance fee fraud.
Recipients as always should be on the lookout for scams such as the examples above. Emails that arrive unexpectedly claiming that the recipient has won large sums of money, and asking for personal details, are usually too good to be true.
Symantec Hosted Services have patented advanced 419 scam detection, which not only detects the suspicious phrases and structures of 419s, but actively hunts for new 419s from a large variety of sources and adds detection in seconds for all of our clients.
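The structural markers described above (a claim of winnings, a request for personal details, a webmail reply address, a plea for confidentiality, advance-fee vocabulary and a World Cup hook) can be turned into a simple weighted scorer. The following is an added illustration written for this post, not MessageLabs’ patented detection; the sample messages and the webmail domain `example-webmail.com` are constructed.

```python
import re

# Constructed sample email bodies modelled on the scams described in the post.
SAMPLES = {
    "lottery_scam": (
        "SOUTH AFRICA WORLD CUP LOTTERY - CONGRATULATIONS! You have won the sum of "
        "US$1,500,000.00 in the FIFA 2010 promotional draw. To claim, email your name, "
        "age, occupation and phone number to claims.dept2010@example-webmail.com. "
        "Please keep this confidential. A release fee is required before the transfer "
        "can be made."
    ),
    "ticket_bonanza": (
        "FIFA 2010 Prizes & Tickets Bonanza: you have been selected to receive flights "
        "to South Africa and tickets to three matches. Forward your name, contact "
        "address, date of birth and occupation to fifa.tickets2010@example-webmail.com. "
        "Official fixtures: http://www.fifa.com/"
    ),
    "legit_fixtures": (
        "World Cup 2010 fixtures update: Brazil v North Korea kicks off at 20:30 in "
        "Johannesburg on 15 June. Tickets are sold only through FIFA's official channels "
        "and the stadium rules are on the organisers' website."
    ),
}

# (feature name, regex, weight per distinct match, cap on distinct matches counted).
# Only non-capturing groups are used so re.findall returns whole matches.
FEATURES = [
    ("win_claim", r"\byou have (?:been selected|won)\b|\blucky winner\b|\bcongratulations\b", 3, 1),
    ("money_amount", r"(?:us\$|\$|£|€)\s?\d[\d,]*(?:\.\d{2})?", 2, 1),
    ("personal_details", r"\b(?:name|age|occupation|date of birth|phone number|contact address)\b", 1, 3),
    ("webmail_contact", r"[\w.+-]+@(?:gmail|yahoo|hotmail|live|example-webmail)\.\w+", 2, 1),
    ("confidential", r"keep (?:this|it) (?:strictly )?confidential", 2, 1),
    ("advance_fee", r"\b(?:release|admin(?:istration)?|transfer|processing) fee\b", 3, 1),
    ("world_cup_hook", r"\bworld cup\b|\bfifa\b", 1, 1),
]

def score_message(text):
    """Return (total score, {feature: distinct matches counted}) for one body."""
    score, hits = 0, {}
    for name, pattern, weight, cap in FEATURES:
        distinct = {m.lower() for m in re.findall(pattern, text, re.I)}
        if distinct:
            hits[name] = min(len(distinct), cap)
            score += hits[name] * weight
    return score, hits

def classify(text, threshold=8):
    """Flag a body as a suspected 419 when enough structural markers co-occur."""
    return "suspected-419" if score_message(text)[0] >= threshold else "clean"
```

The threshold matters: the ticket bonanza has no fee vocabulary yet (the post notes the fee request comes later), so it is flagged on the combination of win claim, personal-data request and webmail contact alone.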
Be careful buying your tickets
The World cup is a global event, and excited fans from all over the world are jostling to get their hands on tickets to see their favorite teams in South Africa.
Very often visitors to auction sites will see tickets for sale; generally the organizers of events do not approve of this, especially if prices are inflated over and above the face value. The FIFA World Cup is no exception. The official FIFA World Cup website states its policy on transfer/resale of tickets (http://www.sa2010.gov.za/ticket-information/42-transfer-tickets): 'ticket holders may not sell, offer for sale, resell, donate or otherwise transfer their ticket in any way, without the specific prior written approval of FIFA'.
Despite this, MessageLabs Intelligence found large numbers of World Cup tickets for sale on a well known auction site with just a few simple searches. Some of these advertisements will of course be from legitimate buyers who have obtained tickets and, for one reason or another, cannot go; but according to FIFA those people don’t need to resell: ‘For those customers who will purchase tickets to the 2010 FIFA World Cup with a real desire to attend, but may not be able to attend for health or other legitimate reasons, FIFA will establish a Ticket Transfer Policy. More information about the Ticket Transfer Policy will be provided at a later date’. However, many of the adverts will be scams in which buyers send money, only to receive nothing in return. Or buyers pay much, much more than face value. It’s a minefield. The owners of auction sites do their best to police this activity, but there is only so much they can do to keep up with the criminals, who find increasingly effective ways to get their ads listed.
It’s better to be safe than sorry. Also under the advice on FIFA’s website above, it says ‘FIFA strongly recommends that fans only purchase tickets through authorized channels, because ticket products obtained from unauthorized parties may be invalid and access to the stadium could be denied’.
Here’s a typical snapshot of what we found:
This is just a selection, there were lots more ads. Looking more closely at one of the ads:
Extra details added by the seller:
Sure, a buyer may see the ad, and pay the seller. And the buyer may receive some tickets. But will they be granted access to the stadium when they try to use the tickets? Maybe not.
Note that the seller covers themselves in the event of that unfortunate outcome:
‘I will not refund the sales amount in case the FIFA does not agree’ – in other words ‘YOU’RE ON YOUR OWN!’. It’s not clear how the seller would ‘personalize the tickets to the buyer’, but one thing is for sure, if FIFA officials get even the slightest inkling that tickets have been resold without the consent of FIFA, the ticket holder will be denied access to the game. Perhaps a risk that some football fans are willing to take, but I would imagine most football fans would find that thought horrifying, especially having traveled to South Africa.